This chapter describes Certificate Management and IPSec Management and provides procedures for performing the following tasks:
• Manage Certificates and Certificate Trust Lists
• Download a Certificate or CTL
• Delete and Regenerate a Certificate
• Upload a Certificate or Certificate Trust List
• Download a Certificate Signing Request
• Monitor Certificate Expiration Dates
• Display or Change an Existing IPSec Policy
To download certificates from the server, ensure your Internet Explorer security settings are configured as follows:
Procedure
Step 1 Start Internet Explorer.
Step 2 Navigate to Tools>Internet Options.
Step 3 Click the Advanced tab.
Step 4 Scroll down to the Security section on the Advanced tab.
Step 5 If necessary, clear the Do not save encrypted pages to disk check box.
Step 6 Click OK.
The Certificate Management menu options allow you to perform the following functions:
• Display certificates
• Upload certificates and Certificate Trust Lists (CTL)
• Download certificates and CTLs
• Delete certificates
• Regenerate certificates
• Download and generate Certificate Signing Requests (CSR)
• Monitor certificate expiration dates
Note To access the Security menu items, you must re-log in to Cisco Unified Communications Operating System Administration using your Administrator password.
To display existing certificates, follow this procedure:
Procedure
Step 1 Navigate to Security>Certificate Management>Display Cert.
The Select Certificates or Trust Store window displays.
Step 2 Check the check box for the type of certificate that you want to display: Own Certificates or Trust Certificates.
The Display Certificates or Trust Units window displays.
Step 3 Check the check box for the certificate type that you want to display.
The Display Certificates or Trust Store window displays.
Step 4 Check the check box for the certificate or trust store that you want to display.
The Details of a Certificate window displays.
Step 5 After you have viewed the certificate details, choose another menu option to close the Details of Certificate window.
To download a certificate or CTL from the Cisco Unified Communications Operating System to your PC, follow this procedure:
Procedure
Step 1 Navigate to Security>Certificate Management>Download Cert/CTL.
The Select Certificate/CTL/CSR Download window displays.
Step 2 Check the check box for the appropriate download type: Own Cert, Trust Cert, or CTL file. Click Next.
The Download Certificates or Trust Units window displays.
Step 3 Check the check box for the existing certificate type that you want to download and click Next.
The Display Certificate/CTL/CSR Download window displays.
Step 4 Check the check box for existing certificates that you want to download and click Next.
The Certificate/CTL/CSR Download window displays.
Step 5 Click the Continue link.
A directory listing that shows the certificates that you chose displays.
Step 6 To save the certificate or CTL to your PC, right-click the name of the certificate or CTL and choose Save As.
Step 7 Enter the location where you want to save the certificate or CTL.
Step 8 Click Save.
To delete a trusted certificate, follow this procedure:
Procedure
Step 1 Navigate to Security>Certificate Management>Delete/Regenerate Cert.
Step 2 Check the Delete Trust Cert check box and click Next.
The Display Certificates or Trust Units For Delete/Regenerate window displays.
Step 3 Check the check box for the existing certificate type that you want to delete and click Next.
The Delete Certificates or Trust Store window displays.
Step 4 Check the Existing Certificate Name check box for the certificate that you want to delete and click Delete.
To regenerate a certificate, follow this procedure:
Procedure
Step 1 Navigate to Security>Certificate Management>Delete/Regenerate Cert.
The Select Certificates or Trust Store for Deletion window displays.
Step 2 Check the Regenerate Self-Signed Cert check box and click Next.
Step 3 Check the appropriate Existing Certificates Types check box for the certificate that you want to regenerate, and click Next.
Step 4 Check the appropriate Existing Certificate check box and click Regenerate.
When you save certificates that you obtained from a third-party Certificate Authority (CA) to your PC, Cisco recommends that you use Notepad to open and save the certificate because this method maintains the certificate format.
To upload a certificate or CTL to the server, follow this procedure:
Procedure
Step 1 Navigate to Security>Certificate Management>Delete/Upload Cert/CTL.
The Select Certificate/CTL Upload window displays.
Step 2 Check the existing certificate types check box for the certificate or CTL that you want to upload.
The Select Certificate/CTL Upload window displays.
Step 3 Enter the name of the certificate or CTL that you want to upload or click Browse to browse for the file.
Step 4 To upload the certificate or CTL, click Upload.
Note The system does not distribute trust certificates to other cluster nodes automatically. If you need to have the same certificate on more than one node, you must upload the certificate to each node individually.
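A pre-upload check for the file-format concern and the per-node upload described above, as an added example that is not part of the Cisco documentation: it verifies that a saved certificate file still decodes to one complete DER structure and returns a SHA-256 fingerprint that can be compared for the copy uploaded to each node. It assumes the CA delivered the certificate as PEM text; the function names and the sample data are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----", re.DOTALL)

def der_length_ok(der: bytes) -> bool:
    """True if der is one outer DER SEQUENCE whose length field matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                     # short form: length in one byte
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                     # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(raw: bytes):
    """Return (problems, sha256_hex_or_None) for a saved certificate file."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte-order mark at start of file")
        raw = raw[3:]
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return problems + ["non-ASCII bytes (re-encoded or rich-text save)"], None
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        return problems + [f"expected 1 certificate block, found {len(blocks)}"], None
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except binascii.Error:
        return problems + ["body is not valid base64"], None
    if not der_length_ok(der):
        problems.append("body is not one complete DER SEQUENCE (truncated or padded)")
    return problems, hashlib.sha256(der).hexdigest()

# Constructed sample: DER header plus 256 filler bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n").encode()

if __name__ == "__main__":
    print(check_pem(SAMPLE_PEM))
```

An empty problem list with matching fingerprints across the files prepared for each node indicates that every node receives the same certificate bytes.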
To download a Certificate Signing Request, follow this procedure:
Procedure
Step 1 Navigate to Security>Certificate Management>Download/Generate CSR.
The Select Certificate type for CSR window displays.
Step 2 Check the Existing Certificate Types check box for the CSR that you want to download.
Step 3 Check the Download CSR if any check box.
The Certificate/CTL/CSR Download window displays.
Step 4 Click Continue.
A directory listing shows the certificates that you chose.
Step 5 To save the CSR to your PC, right-click the name of the certificate or CTL and choose Save As.
Step 6 Enter the location where you want to save the certificate or CTL.
Step 7 Click Save.
The system can automatically send you an e-mail when a certificate is close to its expiration date. To view and configure the Certificate Expiration Monitor, follow this procedure:
Procedure
Step 1 To view the current Certificate Expiration Monitor configuration, navigate to Security>Certificate Management>Cert Expiry Monitor>Display Config.
The Show Cert Expiry Monitoring Config window, which shows a summary of the current configuration information, displays.
Step 2 To configure the Certificate Expiration Monitor, navigate to Security>Certificate Management>Cert Expiry Monitor>Change Config.
The Change Cert Expiry Monitoring Config window displays.
Step 3 Enter the required configuration information. See Table 6-1 for a description of the Certificate Expiration Monitor fields.
Step 4 To save your changes, click Submit.
The IPSec menu options allow you to perform the following functions:
• Display or change an existing IPSec policy
• Set up a new IPSec policy
Note IPSec is not set up automatically between nodes in the cluster during installation.
To display or change an existing IPSec policy, follow this procedure:
Note Because any changes that you make to an IPSec policy during a system upgrade are lost, do not modify or create IPSec policies during an upgrade.
Procedure
Step 1 Navigate to Security>IPSEC Management>Display/Change IPSEC.
Note To access the Security menu items, you must re-log in to Cisco Unified Communications Operating System Administration using your Administrator password.
The Display IPSEC Policy window displays.
Step 2 Check the appropriate Existing Policy check box, and click Next.
Step 3 Perform one of the following actions:
– To view an IPSec policy, click the Display Detail link.
– To delete an IPSec policy, click Delete.
– To activate an IPSec policy, click Enable.
– To deactivate an IPSec policy, click Disable.
Step 4 If you click the Display Detail link, the Association Details window displays. For an explanation of the fields in this window, see Table 6-2.
To set up a new IPSec policy and association, follow this procedure:
Note Because any changes that you make to an IPSec policy during a system upgrade are lost, do not modify or create IPSec policies during an upgrade.
Procedure
Step 1 Navigate to Security > IPSEC Management > Setup New IPSEC.
The Setup Select window displays.
Step 2 Check the Certificate or Pre-Shared Key check box.
– If you check Certificate, check Same Type or Different Type node.
– If you check Pre-Shared Key, enter the key name.
Step 3 Click Next.
The Setup IPSEC Policy and Association window displays.
Step 4 Enter the appropriate information on the Setup IPSEC Policy and Association window. For a description of the fields on this window, see Table 6-2.
Step 5 To set up the new IPSec policy, click Submit.